Security and data sharing.
Richard, Mark ; Lebl, Leslie S.
THE TERRORIST ATTACKS of September 11, 2001, mark the beginning of
a new era in transatlantic cooperation to combat terrorism. As EU High
Representative for Common Foreign and Security Policy Javier Solana put
it, this cooperation has been "one of the unsung transatlantic
success stories," evolving over the years regardless of the
political climate between the United States and Europe.
While this success has been genuine, counter-terrorist cooperation
at the operational level between the United States and Europe still has
a long way to go. Terrorism and its frequent companion, organized
transnational crime, continue to enjoy many advantages. In Europe, the
role of the EU as an institutional entity in combating terrorism and
organized transnational crime has expanded during the past decade as
Europeans seek to devise a common response to these transnational
threats. However, the way in which this process has occurred has often
caused serious problems among the 27 EU member states and is beginning
to do the same for the United States.
Essentially, EU integration in these fields has been driven largely
by political rather than practical imperative. To advance European
integration, policymakers often drive and propose new structures or
other responses from the bottom up as they have traditionally done. As a
result, EU decisions all too often fall short of their stated goal of
combating terrorism or organized crime. Further, while the need to
respond realistically and effectively to the threats from terrorism and
organized crime has soared, the means for doing so have become ever more
complex. Now as never before, non-law enforcement agencies must be
actively engaged, including those focusing on national security,
diplomatic, military, and economic functions. (1) In the United States,
the federal system creates a complex and often duplicative or
overlapping environment that militates against a holistic response. Now
Europe, as it carves out a role for the EU transcending that of the
member states, is largely replicating that complexity on its side of the
Atlantic.
In this extremely challenging setting, transatlantic disagreements
are to be expected. However, recent disputes, primarily over sharing
personal data--a technical issue about which most people know little or
nothing--are on the verge of disrupting mutually beneficial cooperation.
The potential for serious adverse repercussions will only grow if key
provisions, affecting law enforcement, of the Treaty of Lisbon are
adopted and implemented.
The Treaty of Lisbon, the proposed next stage of EU integration,
was originally scheduled for adoption in 2009. (2) Following the June
2008 "no" vote by the Irish, its future is unclear. Like its
predecessor, the Constitutional Treaty rejected in French and Dutch
referendums, the Lisbon Treaty contains many proposals that, even if
formally rejected, are likely to reappear in some other form. It calls
for new and sweeping revisions of internal EU decision-making procedures
as well as fuller participation of the European Parliament in many law
enforcement and regulatory areas. These provisions could have a dramatic
adverse impact on the ability of the United States (and member states)
to share information and intelligence in a timely and constructive
fashion. The operations of a wide range of regulatory and other civil
agencies either directly or indirectly engaged in combating terrorism
and organized crime could also be adversely affected.
Nor are disputes over the sharing of personal data likely to be
confined merely to the EU and the United States. Rather, as with
policies in other areas such as trade and environment, the EU will be
seeking to have its standards for international exchanges of information
adopted worldwide.
Unfortunately, in the United States, the federal structure greatly
complicates efforts to devise a coherent interagency and
intergovernmental strategy for dealing with the EU. Lack of sustained
senior-level attention to U.S.-EU cooperation, combined with a lack of
analytical and long-term strategic planning capability in many of these
agencies, only compounds these problems.
Some of these tensions could be mitigated through proper
implementation by both sides of the soon-to-be-ratified U.S.-EU
Agreement on Mutual Legal Assistance (MLAT). (3) If adopted, the MLAT
could radically improve the flow of information on both sides of the
Atlantic to U.S. and EU law-enforcement, regulatory, and administrative
authorities, in some situations shortening investigations by months if
not years.
Bottom-up or top-down
FOR DECADES, U.S. and European law-enforcement officials have
sought access from each other, in a timely and predictable way, to
pertinent information. Usually cooperation took the form of bilateral
agreements and informal arrangements between, say, U.S. agencies and
their German or French counterparts. Information was typically shared in
a highly compartmentalized structure driven by the relationships among
individual agencies and their foreign counterparts in specific
countries.
In this process, relations across national boundaries traditionally
developed from the bottom up. The agency with a particular problem
generally triggered the development of the relationship. When, for
example, the FBI focused on international organized crime, it ran into
the barrier of Swiss banking secrecy. The Department of Justice, not the
U.S. government as a whole, provided the impetus to approach the Swiss;
a bilateral U.S.-Swiss MLAT was the result. Similarly, U.S. law
enforcement agencies also pursued multilateral arrangements such as
Interpol when those were deemed to be in their interest.
The integration of EU law enforcement and regulatory capabilities
that began in the 1990s has proceeded from the opposite direction. Here
the primary impetus has been from the political level downward, driven
by two imperatives. First, the ministers of justice and interior of the
EU member states see the need, as do their U.S. counterparts, for a
common response to globalized threats. They are well aware that no
single European country can combat terrorism and transnational crime by
itself. Second, however, they and the European political elite in
general perceive EU law enforcement and regulatory integration as a tool
for fostering broader EU political integration. Hence, EU ministers at
their regular meetings agree by consensus to various steps, whether
extending the authority of the European Police Agency (Europol) or
requiring a common system for sharing judicial information. Most of
their decisions are met by foot-dragging and entrenched resistance from
national police and judicial authorities who do not see the operational
benefit of the initiatives adopted by their ministers. This resistance
is only overcome slowly and in stages.
The U.S.-EU relationship that developed after September 11, 2001,
reflects the tension between the agreed objectives and the operational
reality of EU commitments. U.S. authorities, while aware of the twin
political motives of their EU counterparts, saw the EU nevertheless as
an emerging and increasingly important international actor in the
law-enforcement field. They sought to develop their relationship with
the EU in a manner that would add value to the existing bilateral
relationships with European countries, not undercut or supplant these
ties. (4)
But cooperation can bring strains. Since September 11, the United
States and the EU have begun a joint process of mapping out creative
ways to combat the new threats of terrorism and international organized
crime. In the process, they have signed a number of agreements, covering
issues such as the analysis of financial transfer information (5) or
the sharing of airline passenger data. Many of these initiatives,
however, face legal challenges in Europe. For example, a system to
designate terrorists and terrorist organizations and freeze their assets
is being challenged by critics in the European Parliament and at the
European Court of Justice. (6) While these various U.S.-EU
enforcement-related agreements have improved cooperation, many U.S.
officials fear that the long-term prospects for transatlantic
information sharing are not so rosy. Certainly, every new U.S. proposal
for further cooperation automatically faces an uphill battle in Europe,
usually as a result of doubts about its protection of personal data that
EU authorities share with their U.S. counterparts.
Personal data
HISTORICALLY, U.S. LAW-ENFORCEMENT authorities had little
difficulty sharing personal data reciprocally with their European
counterparts. Generally, absent limitations with respect to the sharing
of evidence obtained by compulsory process, such as a subpoena, personal
data on either side could be shared with foreign counterparts when
necessary. Now, however, the new EU imperative toward integration has
made this issue a major irritant in relations between EU member states
and the United States.
In all of its recent negotiations, the EU as an institution sought
to obtain broad and sweeping protections for personal data: the specific
data relating to the who, when, or how, as well as what specific
information is to be shared and the retention periods for holding it. EU
positions are generally based on the Council of Europe's convention
on data privacy. (7) EU policies are further influenced by the existence
of strong support for civil liberties and data protection in the
European Parliament, as well as an influential network of highly
independent national data-protection agencies that collaborate with the
European Data Protection Supervisor.
In practice, guaranteeing certain and consistent data protection
within the EU is quite difficult. Although all EU member states are
signatories to the Council of Europe convention, each country
nevertheless tends to shape its compliance in accord with its own
traditions and domestic law. Similar differences characterize the
implementation of EU instruments. Hence, for example, the level of data
protection in Germany is much higher and different than that in France.
In addition, many of the 12 new member states, most of which are in
Central and Eastern Europe, have rudimentary systems of protection
coupled with a long history of abuse.
Although EU standards of protection tend to be set very high, the
evidence of public support for these standards is weak. Public opinion
polls repeatedly show widespread support for an enhanced EU role in
combating terrorism; for the most part, there is much less interest in
data protection, either among the public or within member-state
governments. While the EU needs a standard of protection, it is less
clear exactly what that standard should be. The issue of data protection
is also inextricably intertwined in the larger ongoing power struggle
between the central EU institutions and the member-state governments.
EU officials tend to interpret their legal system for data
protection as requiring, inter alia, a rigorous and specific finding of
"adequacy" as a prerequisite for sharing such information with
other countries, including the United States. The actual definition of
"adequacy," however, is in practice elusive and varies from
category to category of data. The U.S.-EU agreements reached to date
have been based on the concept that, while U.S. and European systems
were different, they generally shared the same basic principles and
provided essentially equivalent levels of protection. This result has
generally satisfied the need for findings of adequacy. However, current
EU demands for adequacy, as reflected in some draft EU proposals, would
require, for example, that the United States essentially adopt the most
protective features of the European system, including the creation of a
data-protection agency or agencies completely independent of executive
branch oversight.
The U.S. system contains a variety of oversight mechanisms, such as
the Offices of Inspectors General, the Government Accountability Office (GAO), the Freedom of Information Act authorities, and congressional
oversight powers that have, over time, demonstrated their ability to act
independently. A growing segment of the Congress is demanding closer
scrutiny of these mechanisms and has mandated the establishment of
privacy offices in federal agencies. The Congress is also likely to give
the Privacy and Civil Liberties Board an expanded role in overseeing
data privacy issues in the future.
However, many in the EU largely dismiss the U.S. system as
inadequate. They argue that these various authorities are not
sufficiently independent of the executive branch and do not contain
sufficient breadth of application across different fields: e.g., there
is no single data-privacy supervisor for the U.S. government. There may
be a benefit in providing more oversight within the U.S. system, but it
must be done in a way that is consistent with U.S. law and tradition and
does not diminish the effectiveness of U.S. law-enforcement
capabilities. A completely independent oversight body as sought by
segments of the EU would be contrary to the structure of the U.S.
system, which normally requires that any government agency be subject to
numerous checks and balances--that it be under some form of executive or
congressional control.
Some Europeans have also called for "adequacy" findings
with respect to every category of data, such as credit cards or internet
browsing habits, often with additional "safeguards" for every
class of data or new use of data. In some new proposals, European
insistence on sharing with a third party only when the recipient
(presumably another U.S. government agency) can prove that the data are
not only "useful" but "necessary" could prove an
unrealistic standard for fostering a cooperative relationship. Such
standards work in the opposite direction from the current U.S. mandate
for much wider, quasi-automatic domestic sharing of critical information
among interested agencies.
The United States should not shy away from a discussion of these
issues. For instance, it might prove beneficial to discuss oversight and
transparency issues, especially with regard to bulk data collection,
such as data on internet usage. Significant tensions exist with regard
to its collection, analysis, and dissemination: It is not information or
intelligence predicated on a specific criminal act, but data collected
on all citizens, usually for another purpose, by either a commercial or
governmental entity. Nor has sufficient information been made public
which would help establish the operational, rather than the merely
theoretical, usefulness of such processing. For instance, existing U.S.
oversight bodies as well as the public do not know, even in general
terms, what the benefits have been to date of gathering airline
passenger or other similar data. While there are obviously national
security limitations on what can be discussed publicly, this issue
should be explored in more detail. Ultimately, the U.S. argument for
sharing must also justify the burdens of collection costs as weighed
against the potential threat to personal liberties.
Analyzing the usefulness of any new data-sharing initiatives would
benefit both U.S. and EU officials--the EU is about to embark on many
similar types of data gathering and processing. A more uniform set of
rules could well result in more domestic information-sharing within the
United States. State and local authorities must now cooperate with each
other and with federal counterparts to combat terrorism, yet they lack
clear rules for gathering and sharing personal data. Officials should
not need to worry about venturing too far into gray zones and risking
legal sanctions.
In 2007, in an attempt to alter the piecemeal dynamic described
above, the United States and the EU began in-depth discussions on a set
of common principles that would provide an overarching framework for any
future agreements involving the sharing of personal data. Those talks
concluded in the spring of 2008, (8) with most principles agreed but
several issues still outstanding, such as the ability of European
citizens to sue the U.S. government over its handling of their data.
Some observers are more pessimistic than others regarding the outcome of
this process. They cite the substantial EU political pressures to
restrict data-sharing with the United States, as well as the inherent
difficulty in anticipating all the future categories of personal data
that the two sides may wish to share.
Enter the Treaty of Lisbon
THE TREATY OF LISBON, were it to be enacted, would have a profound
negative impact on the ability of either the EU member states or the EU
central institutions to cooperate efficiently and to share data with the
United States. Implementing many of its provisions would undercut
law-enforcement cooperation and make it more difficult, if not
impossible, to work together effectively in combating terrorism and
international organized crime. Key pitfalls are the unresolved question
of who is in charge of the undefined area of "national
security"; the enhanced role of Parliament and the European Court
of Justice in fields critical to law enforcement; and the potential
impact of the Treaty on new internal and external cooperation
mechanisms.
Who is responsible for national security? The Treaty states clearly
that national security--which is nowhere defined--is the "sole
responsibility of each member state." (9) The EU will not have its
own intelligence collection function under the proposal, nor will there
be an EU version of the CIA. Instead, the EU will rely, as it has until
now, on information from member-state intelligence services (however
defined or viewed under national law) for a whole range of functions.
(10) Nor will the European Court of Justice have jurisdiction over
member-state policy or law-enforcement activity with regard to
maintaining law and order or internal security. (11)
These clauses appear quite straightforward; however, EU
implementation--if history is a guide--will be more complex. Other
treaty clauses confirm that the EU is already a de facto player in areas
usually considered, at least in the United States, to be part of
national security. These include border security, asylum and immigration
policy, public health, infrastructure protection, and civil protection,
all of which relate directly or indirectly to combating terrorism or
transnational crime. Thus, despite the attempt to put this issue to
rest, the treaty instead leaves unresolved the question of what role the
central EU institutions will have in dealing with European
"national security." In the present circumstances, we can
expect the EU to push for greater authority in this field, using an
expansive interpretation of ambiguous clauses.
In the field of law enforcement, the EU must now proceed on the
basis of decisions reached by consensus, or unanimity, among the EU
member states. The Treaty, in an effort to streamline its internal
processes, would instead authorize decision-making on the basis of
qualified majority voting (QMV)--a powerful tool that is already at the
foundation of EU power in areas such as trade. Using QMV would likely
result in a much quicker consolidation of EU authority in areas such as
those related to national security and law enforcement. (12) Taken
together, these measures will very likely result in an accelerated
transfer of some sovereignty aspects from member-state governments to EU
central institutions.
The EU, a relatively new player, has many shortcomings in the area
of justice and law enforcement in general. Its central institutions lack
practitioners' expertise in law enforcement, as operational
capabilities remain with the national governments. The central
institutions do, however, focus on policy. Unfortunately, their policy
expertise is relatively weak in the law-enforcement and national
security areas, as these have until recently been beyond the EU's
purview.
Typically, the EU focuses much of its attention inward. In this
case, however, it cannot afford to spend years getting its house in
order in terms of the sharing of sensitive information--and only then
figure out how to share such data with other countries. The result could
be European and American lives lost and critical property destroyed
unnecessarily.
An expanded role for the European Parliament and the European Court
of Justice. The Lisbon Treaty also creates a new and substantial role
for the European Parliament and other central EU institutions in
overseeing the process for sharing personal data. The Parliament has
already made clear its view that priority must be placed on the
protection of civil liberties, especially the protection of personal
data. Historically, however, it has been precisely in this area that it
has disagreed sharply with other EU central institutions--for example,
regarding EU data retention requirements or the exchange of airline
passenger data with the United States.
If the Parliament acquires the power of co-decision in these areas,
it will strengthen its positions and its role in resolving disputes. It
will lack, however, the capability and expertise to handle and analyze
sensitive data, including classified material, in order to inform
itself. The Parliament will also lack any experience of the operational
complexities involved. Critics accuse the U.S. Congress of similar
failings, yet the Congress has much greater capabilities, born of its
centuries of national security and defense responsibilities, than the
European Parliament is likely to acquire in the short to medium term.
Significantly, European law enforcement has yet to develop an effective
capability at the EU level for making its views known and thereby
ensuring that its concerns receive proper attention.
The relative importance accorded to data privacy will also be
reinforced by supportive clauses in the Treaty related to the 2000 EU
Charter of Fundamental Rights. The Treaty of Lisbon states that the
Charter "shall have the same legal value as the Treaties."
(13) This appears to mean that the EU central institutions shall apply
the Charter's provisions, as shall EU member-state governments when
they are implementing EU law. (14) Since more than half of member-state
legislation is drafted in Brussels, this means that, de facto, the
Charter would be applied very broadly.
Further dark clouds for future law-enforcement cooperation relate
to the role of the European Court of Justice. Over 20 years ago, the
Court ruled that EU law overrides national law, including bilateral
treaties with third countries like the United States. Most likely, in
the future, difficult issues arising under the Lisbon Treaty or any
successor legislation will be referred to the lengthy proceedings of the
Court, despite the fact that the court is unlikely to be privy to the
nuances of how to handle terrorism or other cases involving sensitive
international issues. Court decisions, which will take years to emerge,
are likely to favor a single integrated law-enforcement system to
replace the existing and often contradictory national ones. The
expanding role of the EU could thus infringe directly on existing
bilateral law-enforcement or other ties with EU member-state
governments. In a similar vein, the Council of Europe's Court of
Human Rights will likely become a very active player on these issues,
with similar potentially adverse results.
Thus, notwithstanding certain of its provisions, the Treaty will
extend the oversight role of the European Parliament and the European
Court of Justice in law enforcement without offering any obvious
corrections to their current shortcomings. The final result could be a
formalized and highly cumbersome EU approach that fails to acknowledge
the traditional importance of informal as well as formal ties in both
national security and law-enforcement operations. Its effect would be
opposite from that of the U.S.-EU MLAT, which is designed to expand
bilateral cooperation.
New mechanisms for "enhanced cooperation." The Lisbon
Treaty text, reflecting the internal tensions surrounding
law-enforcement issues, introduces some additional mechanisms designed
to offer flexibility. A member state, for instance, can put on an
emergency brake to stop proposed EU legislation that it believes may
affect fundamental aspects of its criminal-justice system. On the other
hand, at least nine (i.e., one-third or more) of the member states can
pursue "enhanced cooperation" on the basis of the initial
draft proposal. (15)
Some EU integrative measures have already occurred as a result of a
perceived need for enhanced cooperation between various EU member
states. The Schengen Agreement established a common external border and
lifted internal ones, while the Prüm Convention of 2005 set up a number
of information sharing commitments, from the exchange of DNA profiles
and fingerprinting data to supplying information to prevent terrorist
offences. (16) In both cases, provisions negotiated among these smaller
groups were subsequently adopted by most or all of the other member
states. While these arrangements may help to compensate for the
overconcentration of authority in central EU institutions that are not
yet configured to exercise it properly, they may also result in
increasing fragmentation and delays within the EU.
Europe is just the start
THE POTENTIAL IMPACT of the Treaty of Lisbon's provisions, if
adopted, suggests that the United States could face a sea change in how
it fights terrorism and organized crime by cooperating with the EU and
its member states. All of its cooperation mechanisms will be up for
grabs, and new solutions will of necessity have to be shaped by both
foreign and domestic policy interests. Yet so far there appears to be
almost no recognition of these potential difficulties on either side of
the Atlantic. (17)
Nor does there appear to be widespread recognition that what goes
on in Europe affects the entire system for international law-enforcement
cooperation. As is the case in other sectors, the EU is dedicated to
seeking to have its standards adopted as widely as possible. When the EU
and the United States agree, together they can set the world
standard--for innovations like those contained in the U.S.-EU MLAT, this
can be a tremendous advantage. But it also means that the United States
can and must expect the EU to pursue international agreements based on
its own principles and interests, regardless of U.S. concurrence. This
is already happening at Interpol, for example, where the EU wants its
rules on data protection to determine the framework imposed on
Interpol's worldwide system. Similar initiatives are likely at the
International Civil Aviation Organization and other international
standard-setting bodies. EU requirements that inhibit the effective
performance of counterterrorism measures can in this way have a very
deleterious impact on U.S. interests, and especially on its ties with
other, non-European countries.
None of these trends bodes well for our ability to cooperate with
the EU in combating terrorism and serious organized crime, despite
individual successes. Unfortunately, U.S. policymakers pay virtually no
attention to this problem. Instead, the U.S. government still acts as if
it can "go it alone," a feeling fed by its compartmentalized
and fractured organization. As issues arise with the EU, individual
agencies feel they benefit from the exercise of autonomy. The Department
of Homeland Security, for example, can negotiate an agreement with the
EU on airline passenger security without much interference from other
agencies or even the National Security Council, as can the Department of
Justice on relations with Europol, or the Department of Treasury
regarding access to bank transfer data. In the case of airline passenger
security, Homeland Security obtained a favorable agreement; in contrast,
the EU extracted significant concessions from Treasury in the dispute
over the transfer of transactions data.
Overall, however, this compartmentalized approach serves only to
weaken the U.S. position. Thus far, the U.S. government at senior policy
levels has paid little attention to the operational problems associated
with information sharing and has failed to develop coherent policies to
reflect its overarching interests and objectives. It needs a strategic
approach that is not driven by partisan or enforcement rivalries. It
will not be able to continue much longer with its current ad hoc approach, which makes a virtue of the very organizational obstacles that
hamper effective cooperation with our international partners, especially
those in the EU.
The promise of the U.S.-EU MLAT
SUCH A STRATEGIC approach could be developed using the implementation of the
2003 U.S.-EU MLAT as a springboard for change, since it offers the
promise of several innovative U.S.-EU mechanisms for enhanced
cooperation. In recent decades, the United States built a matrix of
MLATs at the bilateral level with individual European countries. Under
these agreements, prosecutors and investigative magistrates can request
that information located in the jurisdiction of a partner be secured in
connection with an ongoing investigation or prosecution, even if it
requires compulsory process to acquire.
The multinational nature of many investigations involving terrorism
and organized crime, as well as the expanding EU institutional role in
judicial cooperation, rendered this matrix increasingly cumbersome,
time-consuming, and obsolete. As a result, a MLAT which will operate at
the EU level was negotiated, along with 27 amended conforming bilateral
agreements. Last fall, the U.S. Senate ratified the package. The MLAT
also requires approval under relevant domestic procedures by the EU
member states. Some 24 of the 27 have already done so, including
Ireland, the member state that voted against the Lisbon Treaty.
The new agreement contains unique provisions which could enhance
U.S.-EU cooperation in a broad range of areas and set future standards
of judicial cooperation internationally. In particular, it holds great
promise for radically improving the flow of information useful to
law-enforcement authorities as well as to regulatory and administrative
agencies. Its features amount to a revolutionary approach to the process
of obtaining cooperation abroad, including the exchange of personal
data. One particularly dramatic improvement involves the sharing of bank
data. Under a traditional MLAT, a great deal of data must first have
been contained in the initial request, especially the name of the bank
where the account in question was located as well as the account number.
In contrast, the U.S.-EU MLAT does not require someone investigating
either terrorism or serious crime to file a formal MLAT request at the
outset with such identifying bank data, which may take years of
investigative effort to acquire. Instead, the party can initially seek
such data if there is reason to believe that an account exists within
the jurisdiction of the requested party.
In another first, the U.S.-EU MLAT envisions the possible creation
of truly international, integrated task forces, not just the coordinated
parallel investigations which are now almost routine. Germany, for
example, could establish a joint task force, comprised of a single
investigative team operating under German law. Other countries with
concurrent jurisdiction over the same offense could assign investigators
to the task force at their discretion.
If the German director asked the U.S. member of the task force for
information on the ownership of a company in Milwaukee, the U.S. member
would go to his own sources--as it is truly a U.S. investigation. No
time-consuming, formalistic MLAT request would be needed, and the
information would be given directly to the joint investigative team.
U.S. authorities could be limited by the claim of double jeopardy if
they sought to prosecute the same individual for the same offense, e.g.,
after Germany or another member of the team had prosecuted the
defendant. However, the benefits in terms of speed and efficiency would
more than compensate for this potential downside. And for the first
time, regulatory and administrative agencies that have the authority to
make criminal referrals to law-enforcement agencies will be able to use
the MLAT to gather information in connection with their investigations.
The SEC, for example, could use it for an investigation of insider
trading involving a terrorist suspect. The only requirement is that, at
the end of the day, there is a possibility of making a criminal referral.
Finally, the new MLAT will allow information and evidence provided
in response to a request to be used, at a minimum, for any criminal
investigation or proceeding; for the purpose of preventing immediate and
serious threats to public security; and for use in relevant regulatory
proceedings. This flexibility is consistent with provisions already
agreed by the United States and the European Police Agency (Europol) and is
designed to allow governments to respond to immediate threats to public
security. (18) Significantly, the MLAT sets a broad standard for the
subsequent use of personal data once it is transmitted to the receiving
partners. It is unclear what impact adoption of the Lisbon Treaty would
have on implementation of these provisions.
Taken together, these various features contribute to providing a
powerful platform for responding faster and more effectively to the
unique challenges of international crime and terrorism. Gone are the
days when law enforcement officials could work alone on a case, slowly
allowing MLAT requests to wend their way through the legal system of
other countries. The U.S.-EU MLAT would provide a legal basis for the
coordinated effort of bank regulators, customs officials and other
regulatory officials in real time. The new MLAT could also serve as a
template for updating MLATs with other countries in the future. Beyond
these practical enhancements, successful joint implementation of the
MLAT could provide a new impetus for the political compromises necessary
to underpin the continuing, reliable sharing of information, including
personal data, between Europe and the United States. This joint
experience could prove invaluable should the opportunity arise to
revisit the provisions of the Lisbon Treaty.
While the change of U.S. administrations has improved transatlantic
atmospherics, the problems described above will remain and will continue
to pose a major challenge to greater cooperation. Both the United States
and the EU will have to apply considerable political capital and
technical expertise to ensure that their cooperation keeps pace with the
constantly changing threats from terrorism and serious transnational
crime. They must do so in a way that protects civil liberties, including
the protection of personal data, while still allowing effective action
by their law enforcement and regulatory authorities. The challenge is
great, but achieving cooperative success is simply imperative.
Mark Richard served for 20 years as deputy assistant attorney
general in charge of international law enforcement at the Department of
Justice, and for eight years, he was the Department's liaison for
law enforcement affairs at the U.S. Mission to the European Union in
Brussels. Leslie S. Lebl, principal of Lebl Associates, is a former
career Foreign Service officer. She served as minister-counselor for
political affairs at the U.S. Mission to the European Union. This
article is based on research conducted for the Markle Foundation.
(1) Intelligence ties with individual European countries have long
been an essential tool to combat terrorism, although little is said
publicly about them. The U.S. collection and analytical capabilities
generally dwarf those of other countries, in breadth as well as depth of
coverage. Yet European intelligence agencies can often supply the
missing link required to identify terrorists or their organizations.
(2) The formal title is "Treaty of Lisbon Amending the Treaty
on European Union and the Treaty Establishing the European
Community," available at
http://eur-lex.europa.eu/JOHtml.do?uri=OJ:C:2007:306:SOM:EN:HTML. (This
and all subsequent online citations accessed March 9, 2009). Adoption
required the concurrence of all the member states; with the
"no" vote in the Irish referendum on June 12, 2008, the
treaty's future is uncertain.
(3) The "T" in "MLAT" stands for
"treaty"; "agreement" rather than "treaty"
is used for its multilateral form. U.S. ratification of the U.S.-EU MLAT
and its companion extradition agreement required approval of a package
of over 50 agreements, including modified existing extradition and
mutual legal assistance treaties with individual European countries. The
original U.S.-EU agreements were negotiated with 15 member states. In
2004, that number increased to 25 and in 2007 to 27, in each case
requiring the package to be revised and expanded. The agreement on
extradition should streamline current procedures, but while it is quite
useful, it is not as innovative as the MLAT.
(4) See Leslie S. Lebl, "Security Beyond Borders," Policy
Review 130 (April & May 2005), and Leslie S. Lebl, "Advancing
U.S. Interests with the European Union" (Atlantic Council, January
2007), 49-54.
(5) Immediately after September 11, the Treasury Department
subpoenaed the private Belgian organization SWIFT to obtain records of
its transfers, copies of which are stored in the United States and thus
subject to U.S. jurisdiction. After several modifications were
negotiated, SWIFT agreed. This arrangement was the subject of several
inquiries, including one by the European Data Protection Supervisor,
which found that SWIFT had violated EU data-protection laws by
transferring data to U.S. authorities. In June 2007, the U.S. Treasury
and EU officials exchanged letters clarifying the protection accorded to
the financial-transfer information given by SWIFT to U.S. authorities.
(6) See John Rosenthal, "EU Court Threatens U.N. Anti-Terror
Measures," Transatlantic Intelligencer (January 28, 2008).
(7) "Council of Europe Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data"
(January 28, 1981); "Additional Protocol" (November 8, 2001).
(8) Charlie Savage, "U.S. and Europe Near Agreement on Private
Data," New York Times (June 28, 2008).
(9) "Treaty of Lisbon," new Article 3a, TL/en 14.
(10) In Denmark, for example, both law enforcement and intelligence
fall within a single ministry.
(11) "Treaty of Lisbon," new Article 240b, TL/en 144.
(12) For a discussion of these mechanisms, see Elspeth Guild and
Sergio Carrera, "No Constitutional Treaty? Implications for the
Areas of Freedom, Security and Justice" (Centre for European Policy
Studies October 2005).
(13) "Treaty of Lisbon," new Article 6, TL/en 15.
(14) Sergio Carrera and Florian Geyer, "The Reform Treaty and
Justice and Home Affairs: Implications for the common Area of Freedom,
Security, and Justice" (Centre for European Policy Studies, August
2007), 3.
(15) "Treaty of Lisbon," new Article 69(a)(3), TL/en
85-86. See the discussion in Carrera and Geyer, "Reform
Treaty," 5-6.
(16) "Prüm Convention" (Council of the European Union,
July 7, 2005), 10900/05, available at
http://register.consilium.europa.eu/pdf/en/05/st10/st10900.eno5.pdf.
(17) Former U.S. official Stewart Verdery and the Heritage
Foundation's Sally McNamara have expressed concerns. See Charlie
Savage, "European security treaty raises worry," Boston Globe
(November 26, 2007).
(18) See the statement of Bruce Swartz, deputy assistant attorney
general, before the Senate Committee on Foreign Relations (May 20,
2008), 10.